Hi everyone,
I was creating a presentation last week covering the security risks and weaknesses of social networking websites and I found a few interesting things. The most interesting flaw I found was the poor control around access to users' photo albums on Facebook, not the world's biggest hack by a long way but still interesting.

I contacted Facebook last Thursday and I never received a response so I felt it was time to post the full details on my blog. I think most Facebook users would know that you can give a public URL to every photo and album you upload so that non-Facebook users can view them. I wondered if we could exploit this somehow to allow us to access any user's photos and albums without being their friends, without being in groups with them, without having friends who are friends with them, etc. I found out it is possible! All you have to do is perform a search, hover over the "add friend" link, fire up the Burp Suite and sit back and wait for the photos!

I have still received no response from Facebook so I have posted the full details here: http://securityninja.co.uk/blog/?p=198

I acknowledge that this isn't a huge flaw and will not change the world of security but I thought people would find it interesting.
SN

Nice one Gareth.. see, at least you can't slap me round the head since I have a "Secure installation of Joomla".. I should add that the only reason it's secure is because the server is in storage and powered down.. :)

I'm on the other extreme. I never run foreign code on my server. Ever. (Well, there are extremely rare exceptions, I'll give y'all that.)

Being an adolescent websecurity enthusiast, I am obligated to dismiss everyone else's code as inferior.

But anyway, nice. I hate it so much when you haven't stopped giving a shit yet and contact a site about security holes you found and they
1) don't contact you back at all (hi, apple!)
2) see you as a threat and ban you (but don't fix the hole) (hi, random shitty sites!)
3) take 6 months to contact you back (hi, stumbleupon!)

I had been thinking of getting rid of the forum for a while so you gave me the kick I needed ;-)

I think what really frustrated me is that Facebook contacted me very quickly once I posted it on the Full Disclosure mailing list. They have even acknowledged that they received my contact with them and had a ticket open for it yet no one contacted me.

You can also use the FQL (Facebook Query Language) to find the user's album id.
Go to hxxp://developers.facebook.com/tools.php?api
Select fql.query under Method and use a query like:
SELECT location, link FROM album WHERE owner=xxxxxxxxxx
SELECT location, link FROM album WHERE owner IN (SELECT uid FROM user WHERE name="Person Name")

Taken from https://foro.elhacker.net/nivel_web/fql_injection-t248423.0.html (Spanish)

Quote: To a software company, vulnerabilities are largely an externality. That is, they affect you—the user—much more than they affect it. A smart vendor treats vulnerabilities less as a software problem, and more as a PR problem. So if we, the user community, want software vendors to patch vulnerabilities, we need to make the PR problem more acute.

I hadn't seen that quote before but I think it hits the nail on the head. I did try to make it a bigger PR issue by contacting a lot of the mainstream IT and IT Security news sites but only one got back to me and that took 5 days - by then Facebook had fixed the flaw (details on the fix here: http://securityninja.co.uk/blog/?p=220).

This is my first disclosure where I have been left feeling disappointed, Facebook were difficult to contact and deal with. Even when I had spoken with them they failed to keep up promises to "keep me informed". I only found out they had fixed it because I noticed it on my own profile.